H04L63/08—Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network

H04L63/0876—Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

H04L63/08—Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network

H04L63/0884—Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Abstract

A user apparatus (1) sends, via a network (7), a request to access a computer system (3) comprising a plurality of services and a plurality of authentication levels. The system (3) negotiates with a distributed authentication provider (5) to determine a risk associated with the user request and a multi-level authentication scheme for the user. The system then redirects the user to the authentication provider for authentication according to the multi-level scheme, which may involve input by the user of one or more passwords and other identifiers including biometric identification. The user is provided with access to the requested service if authentication is successful, which may be notified from the authentication provider to the system using a pre-agreed shared secret associated with the respective authentication level.

Description

USER AUTHENTICATION

FIELD OF THE INVENTION

[0001] The present invention relates to a method for providing a user access to a computer system comprising a plurality of services and a plurality of authentication levels.

The present invention further relates to a computer program product comprising computer-readable program code for implementing the steps of such a method when executed on a computer. The present invention yet further relates to a computer system implementing such a method.

BACKGROUND

[0002] Networked computer systems offering a multitude of services to authorized users are commonplace. Indeed, society is shifting towards an electronic way of life, in which many daily tasks are performed over such networks. An unwanted consequence of this shift in paradigm is that criminal activity is also evolving in the electronic realm. Cybercrime including identity theft is a serious problem, which results in losses of several billion dollars per annum, e.g. because a criminal has assumed the identity of someone else on such a network. This is particularly relevant to financial services, e.g. on-line banking, as well as to on-line shopping services such as Amazon, where user credit card details are stored under a user profile. Other relevant examples will be apparent to the skilled person.

[0003] To counteract such malicious behaviour, a user of such a computer system typically has to go through an authentication process to gain access to the computer system, e.g., by providing a username and password. Although this reduces the risk of identity fraud, i.e. an imposter gaining access to the account of the user, such authentication may not be sufficient to prevent such identity fraud altogether.

[0004] For instance, there is an increasing trend to perform electronic transactions using many different service providers. To access these can require many different user identities and authentication methods to be remembered. Solutions to overcome this requirement to remember many different user identities have been proposed in the form of distributed authentication providers, which enable the storage of many identities associated with a single user on an authentication provider apparatus or server.

[0005] Furthermore, identity fraud can occur when a device is stolen while its owner is using a service that required authentication: the thief then has immediate access to this service without being challenged by the authentication process. Even if the user is not yet authenticated, the mobile device may store at least some of the authentication data in auto-complete functions, which may aid the criminal in accessing the service of interest. The same problem can occur if a user is forced by a criminal to access the service of interest, or when the user accessed the service through a public access device such as a computer in an Internet café and did not properly terminate his session before leaving the computer.

[0006] Part of this problem can be addressed by the use of several layers of authentication for critical services, but this can cause further friction with the end user, as the end user typically has to memorize several complex passwords associated with the same identity. This often leads to forgotten authentication details, causing frustration for the end user and increasing cost for the service provider in terms of the provision of call centres and help desks that can assist the end user in regaining access to the requested services.

BRIEF SUMMARY OF THE INVENTION

[0007] The present invention seeks to provide a more robust method for providing a user access to a computer system comprising a plurality of services and a plurality of authentication levels.

[0008] The present invention further seeks to provide a computer program product comprising computer-readable program code for implementing the steps of such a method when executed on a computer.

[0009] The present invention yet further seeks to provide a computer system implementing such a method.

[0010] According to an aspect of the present invention, there is provided a method for providing a user apparatus access to a computer system comprising a plurality of services and a plurality of authentication levels, the method comprising: determining a service request for at least one of the services from a user apparatus; negotiating with a distributed authentication provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services; redirecting the user apparatus to access the distributed authentication provider such that the user apparatus authenticates itself at the distributed authentication provider for the authentication level associated with the at least one of the services within the service request; and providing the user apparatus access to the at least one of the services within the service request based on a successful authentication at the distributed authentication provider for the authentication level associated with the at least one of the services within the service request.

[0011] In examples employing such embodiments a service provider may assist in the implementation of a multilevel authentication control system across a distributed authentication platform.

[0012] Negotiating with a distributed authentication provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services may comprise negotiating with the distributed authentication provider at least one shared secret for authenticating that an authentication message response received from the user apparatus originates from the distributed authentication provider.

[0013] Providing the user apparatus access to the at least one of the services within the service request may comprise: determining a successful authentication indicator for the authentication level associated with the at least one of the services within the service request from the user apparatus, the successful authentication indicator comprising the at least one shared secret; enabling the user apparatus access to the at least one of the services within the service request.

[0014] In examples implementing such embodiments the at least one shared secret can be used not only to verify that a successful authentication has occurred (without the need to perform the authentication locally), but the at least one shared secret can also be used to verify the level of authentication, thus enabling the user apparatus access to the services for which it has been authenticated remotely.

[0015] Negotiating with a distributed authentication provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services may comprise negotiating a value exchange with the distributed authentication provider such that the plurality of services can be mapped to the plurality of authentication levels.

[0016] In such examples employing such embodiments the service provider may negotiate the levels of authentication needed based on the values such as risk (of permitting access) to a resource/service for an authenticated user. In such embodiments the service provider may have a more flexible and secure approach to service provision.

[0017] Negotiating with a distributed authentication provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services comprises associating at least one authentication method with at least one authentication level of the plurality of authentication levels.

[0018] In such examples employing these embodiments the method required to authenticate at a defined level can be determined, providing both a more flexible and a more secure approach to service provision.

[0019] Associating at least one authentication method with at least one authentication level of the plurality of authentication levels may comprise associating different combinations of authentication methods with each of the plurality of authentication levels.
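The negotiation of [0012] to [0019] can be illustrated with a small simulation. The following is an added example, not code from the patent or from any product it describes: a service provider supplies a risk value per service (the "value exchange" of [0015]), the authentication provider supplies a catalogue of methods, and the two derive a service-to-level mapping, a combination of methods per level ([0019]) and one fresh shared secret per level ([0012]). The risk bands, the method names and strengths, and the triangular strength requirement per level are assumptions chosen for illustration.

```python
# Added example (not from the patent text): RP/OP association negotiation.
# Services are mapped to authentication levels by a risk value, each level is
# mapped to a combination of authentication methods, and one shared secret is
# agreed per level. Risk bands, method catalogue and the strength requirement
# per level are assumptions for illustration.
import secrets
from dataclasses import dataclass, field

# Assumed risk bands: (level, upper risk bound), checked in ascending order.
LEVEL_RISK_BANDS = [(1, 0.3), (2, 0.7), (3, 1.0)]

# Assumed OP-side catalogue: authentication method -> assurance strength.
OP_METHODS = {"password": 1, "otp": 2, "biometric": 3}


@dataclass
class Association:
    service_level: dict = field(default_factory=dict)   # service -> level
    level_methods: dict = field(default_factory=dict)   # level -> tuple of methods
    level_secrets: dict = field(default_factory=dict)   # level -> shared secret (bytes)


def level_for_risk(risk: float) -> int:
    """RP-side value exchange: the lowest level whose risk band covers the risk."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be in [0, 1]")
    for level, upper in LEVEL_RISK_BANDS:
        if risk <= upper:
            return level
    return LEVEL_RISK_BANDS[-1][0]


def methods_for_level(level: int, catalog: dict) -> tuple:
    """OP-side: accumulate methods, weakest first in a deterministic order, until
    the summed strength reaches the level's (assumed, triangular) requirement.
    Because each level extends the previous prefix, a higher level always
    requires a superset of a lower level's methods."""
    required = level * (level + 1) // 2
    chosen, total = [], 0
    for name, strength in sorted(catalog.items(), key=lambda kv: (kv[1], kv[0])):
        if total >= required:
            break
        chosen.append(name)
        total += strength
    if total < required:
        raise ValueError(f"catalogue too weak for level {level}")
    return tuple(chosen)


def negotiate_association(rp_services: dict, op_catalog: dict) -> Association:
    """Run the negotiation; rp_services maps service name -> risk value in [0, 1]."""
    assoc = Association()
    for service, risk in rp_services.items():
        assoc.service_level[service] = level_for_risk(risk)
    for level, _ in LEVEL_RISK_BANDS:
        assoc.level_methods[level] = methods_for_level(level, op_catalog)
        # One fresh secret per level. It must travel over the RP<->OP channel
        # only, never through the user apparatus.
        assoc.level_secrets[level] = secrets.token_bytes(32)
    return assoc


if __name__ == "__main__":
    # Constructed sample input: three services with assumed risk values.
    services = {"view_balance": 0.2, "transfer_funds": 0.6, "change_address": 0.9}
    assoc = negotiate_association(services, OP_METHODS)
    for service, level in assoc.service_level.items():
        print(f"{service:15} level {level}: {' + '.join(assoc.level_methods[level])}")
```

Keeping the per-level secrets distinct is what later lets the service provider tell a level-1 success indicator from a level-2 one ([0014]); reusing one secret across levels would reduce the scheme to a single yes/no signal.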

[0020] Determining a service request for at least one of the services may comprise assigning an authentication level to the at least one of the services within the service request.

[0021] Redirecting the user apparatus to access the distributed authentication provider may comprise generating a redirection message to be sent to the user apparatus, the redirection message comprising an authentication level indicator for an authentication level assigned to the at least one of the services within the service request.

[0022] In these examples employing such embodiments the authentication of the user apparatus is enabled to be graded and controlled by the authentication provider based on the level of authentication requested.

[0023] According to a second aspect there is provided a method for providing a user apparatus access to a computer system comprising a plurality of services and a plurality of authentication levels, the method comprising: generating a service request for at least one of the services; transmitting the service request to a service provider; authenticating with a distributed authentication provider for an authentication level associated with the at least one of the services within the service request; and accessing the at least one of the services within the service request from the service provider based on the successful authentication with the distributed authentication provider for the authentication level associated with the at least one of the services within the service request.

[0024] In examples employing such embodiments a multilevel authentication control system across a distributed authentication platform may be implemented from the viewpoint of the user apparatus.

[0025] The method may further comprise receiving a redirection message from the service provider, the redirection message comprising an authentication level indicator for an authentication level associated with the at least one of the services within the service request.

[0026] In these examples employing such embodiments the authentication of the user apparatus is enabled to be graded and controlled by the authentication provider based on the level of authentication requested.

[0027] Authenticating with the distributed authentication provider for an authentication level associated with the at least one of the services within the service request may comprise: generating an authentication request for the distributed authentication provider, the authentication request comprising an authentication level indicator for an authentication level associated with the at least one of the services within the service request; determining an authentication request response from the distributed authentication provider, the authentication request response comprising an indicator specifying an authentication specification based on the authentication level associated with the at least one of the services within the service request; generating an authentication message for the distributed authentication provider, the authentication message comprising data based on the authentication specification within the authentication request response; and receiving from the distributed authentication provider an authentication response message, the authentication response message comprising an indicator authenticating the user apparatus for the authentication level associated with the at least one of the services within the service request.

[0028] In such examples employing these embodiments the method required to authenticate at a defined level can be determined, providing both a more flexible and a more secure approach to service provision.

[0029] Accessing the at least one of the services within the service request from the service provider based on the successful authentication with the distributed authentication provider for the authentication level associated with the at least one of the services within the service request may comprise generating an authentication message for the service provider, the authentication message comprising the indicator from the distributed authentication provider authenticating the user apparatus for the authentication level associated with the at least one of the services within the service request.

[0030] According to a third aspect there is provided a method for providing a user apparatus access to a computer system comprising a plurality of services and a plurality of authentication levels, the method comprising: negotiating with a service provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services; and authenticating the user apparatus based on an authentication request from the user apparatus for an authentication level associated with at least one of the services within a service request so to enable the service provider to provide the user apparatus access to the at least one of the services within the service request.

[0031] In examples employing such embodiments an authentication provider may assist the implementation of a multilevel authentication control system across a distributed authentication platform.

[0032] Negotiating with a service provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services may comprise negotiating with the service provider at least one shared secret for authenticating an authentication message response from the user apparatus.

[0033] In examples implementing such embodiments the at least one shared secret can be used not only to verify that a successful authentication has occurred (without the need to perform the authentication locally), but the at least one shared secret can also be used to verify the level of authentication, thus enabling the user apparatus access to the services for which it has been authenticated remotely.

[0034] Negotiating with a service provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services may comprise negotiating a value exchange with the service provider such that the plurality of services can be mapped to the plurality of authentication levels.

[0035] Negotiating with the service provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services may comprise associating at least one authentication method with at least one authentication level of the plurality of authentication levels.

[0036] In such examples employing such embodiments the service provider may negotiate the levels of authentication needed based on values such as the risk (of permitting access) to a resource/service for an authenticated user. The service provider may in such examples have a more flexible and secure approach to service provision.

[0037] Associating at least one authentication method with at least one authentication level of the plurality of authentication levels may comprise associating different combinations of authentication methods with each of the plurality of authentication levels.

[0038] The method may further comprise receiving the authentication request from the user apparatus for an authentication level associated with at least one of the services within a service request, the authentication request comprising an authentication level indicator for the authentication level associated with the at least one of the services within the service request.

[0039] Authenticating the user apparatus for an authentication level associated with at least one of the services within a service request may further comprise: determining an authentication specification based on the authentication level associated with the at least one of the services within the service request; receiving an authentication message from the user apparatus, the authentication message comprising data based on the authentication specification; determining the authentication message data authenticates the user apparatus for the authentication level associated with at least one of the services within the service request; and generating an authentication response message for the user apparatus comprising an indicator for authenticating the user apparatus at the service provider for the authentication level associated with the at least one of the services within the service request.
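The three viewpoints of [0020] to [0039] describe one exchange: the service provider assigns a level and redirects the user apparatus with a level indicator; the authentication provider answers with the specification for that level, checks the user's authentication message and returns a success indicator; the user apparatus presents that indicator to the service provider, which verifies it with the level's shared secret. The following is an added example, not code from the patent or from any system it describes, that simulates all three parties in one process. It models each per-level shared secret of [0012] as an HMAC key over the indicator fields, so that the indicator carried back through the user apparatus proves the level without disclosing the secret itself; that design choice, the message field names, the freshness window, the sample credentials and the plaintext credential store are all assumptions.

```python
# Added example (not from the patent text): the redirect / authenticate /
# indicator exchange of [0020]-[0039], simulated with RP, OP and user apparatus
# in one process. Per-level shared secrets are used as HMAC keys (an assumed
# design choice); field names, freshness window and credentials are assumed.
import hashlib
import hmac
import secrets
import time

# Association state assumed to have been negotiated beforehand between RP and OP.
LEVEL_SECRETS = {1: secrets.token_bytes(32), 2: secrets.token_bytes(32)}
SERVICE_LEVEL = {"view_balance": 1, "transfer_funds": 2}        # service -> level
LEVEL_SPEC = {1: ("password",), 2: ("password", "otp")}          # level -> methods
FRESHNESS_SECONDS = 300                                          # assumed window


def indicator_tag(user: str, level: int, rp: str, nonce: str, issued: int) -> str:
    """MAC binding user, level, relying party, nonce and issue time to the level's secret."""
    msg = f"{user}|{level}|{rp}|{nonce}|{issued}".encode()
    return hmac.new(LEVEL_SECRETS[level], msg, hashlib.sha256).hexdigest()


class AuthProvider:
    """OP side ([0038]-[0039]): applies the level's specification and issues an indicator."""

    def __init__(self):
        # Constructed user store. A real OP would verify salted hashes and OTP seeds.
        self.users = {"alice": {"password": "correct horse", "otp": "492817"}}

    def authentication_request(self, level: int) -> dict:
        # Authentication request response: the specification for the requested level.
        return {"level": level, "required": LEVEL_SPEC[level]}

    def authenticate(self, user: str, level: int, proofs: dict, rp: str):
        record = self.users.get(user)
        if record is None:
            return None
        for method in LEVEL_SPEC[level]:       # every method of the level must pass
            if not hmac.compare_digest(proofs.get(method, ""), record[method]):
                return None
        nonce, issued = secrets.token_hex(16), int(time.time())
        return {"user": user, "level": level, "rp": rp, "nonce": nonce, "issued": issued,
                "tag": indicator_tag(user, level, rp, nonce, issued)}


class ServiceProvider:
    """RP side ([0020]-[0021], [0013]): redirects with a level indicator, verifies the result."""

    def __init__(self, name: str = "bank.example"):
        self.name = name
        self.seen_nonces = set()               # replay protection for presented indicators

    def service_request(self, service: str) -> dict:
        # Redirection message carrying the level assigned to the requested service.
        return {"redirect": "op", "level": SERVICE_LEVEL[service],
                "service": service, "rp": self.name}

    def grant_access(self, service: str, ind: dict, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        required = SERVICE_LEVEL[service]
        if ind.get("rp") != self.name or ind.get("level") not in LEVEL_SECRETS:
            return False
        if ind["level"] < required:            # authenticated, but below this service's level
            return False
        if now - ind["issued"] > FRESHNESS_SECONDS or ind["nonce"] in self.seen_nonces:
            return False                       # stale or replayed indicator
        expected = indicator_tag(ind["user"], ind["level"], ind["rp"], ind["nonce"], ind["issued"])
        if not hmac.compare_digest(expected, ind["tag"]):
            return False                       # wrong level secret or tampered fields
        self.seen_nonces.add(ind["nonce"])
        return True


def run_flow(service: str, user: str, proofs: dict, op=None, rp=None) -> bool:
    """User-apparatus view ([0023]-[0029]): request, follow redirect, authenticate, present."""
    op = op or AuthProvider()
    rp = rp or ServiceProvider()
    redirect = rp.service_request(service)
    spec = op.authentication_request(redirect["level"])
    ind = op.authenticate(user, spec["level"], proofs, redirect["rp"])
    return ind is not None and rp.grant_access(service, ind)


if __name__ == "__main__":
    print("view_balance with password only:", run_flow("view_balance", "alice", {"password": "correct horse"}))
    print("transfer_funds with password only:", run_flow("transfer_funds", "alice", {"password": "correct horse"}))
```

Two checks in `grant_access` are the ones this scheme depends on: the level recorded in the indicator must be at least the level the service requires, and the tag must verify under that level's secret, so an indicator issued for a low-risk service cannot be re-labelled and presented for a high-risk one. The nonce set is what stops a captured indicator from being replayed from a stolen or shared device, the scenario of [0005].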

[0040] A computer program product comprising a computer-readable storage medium having computer-readable program code, when executed on at least one processor of a computer, may cause the computer to implement the steps of the method as described herein.

[0041] According to a fourth aspect there is provided a service provider comprising: a service provider module configured to determine a service request for at least one of a plurality of services from a user apparatus; an association negotiation module configured to negotiate with a distributed authentication provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services; an authentication module configured to redirect the user apparatus to access the distributed authentication provider such that the user apparatus authenticates itself at the distributed authentication provider for the authentication level associated with the at least one of the services within the service request; and wherein the authentication module is further configured to provide the user apparatus access to the at least one of the services within the service request based on a successful authentication at the distributed authentication provider for the authentication level associated with the at least one of the services within the service request.

[0042] The association negotiation module may be further configured to negotiate with the distributed authentication provider at least one shared secret for authenticating that an authentication message response received from the user apparatus originates from the distributed authentication provider.

[0043] The authentication module may be further configured to: determine a successful authentication indicator for the authentication level associated with the at least one of the services within the service request from the user apparatus, the successful authentication indicator comprising the at least one shared secret; and enable the user apparatus access to the at least one of the services within the service request based on the at least one shared secret.

[0044] The negotiation module may be further configured to negotiate a value exchange with the distributed authentication provider such that the plurality of services can be mapped to the plurality of authentication levels.

[0045] The negotiation module may be further configured to associate at least one authentication method with at least one authentication level of the plurality of authentication levels.

[0046] The negotiation module may be further configured to associate different combinations of authentication methods with each of the plurality of authentication levels.

[0047] The service provider module may be configured to assign an authentication level to the at least one of the services within the service request.

[0048] The authentication module may be configured to generate a redirection message to be sent to the user apparatus, the redirection message comprising an authentication level indicator for an authentication level assigned to the at least one of the services within the service request.

[0049] According to a fifth aspect there is provided a user apparatus comprising: a service module configured to generate a service request for at least one of a plurality of services, wherein the service request is transmitted to a service provider; an authentication module configured to authenticate the user apparatus with a distributed authentication provider for an authentication level associated with the at least one of the services within the service request; and further configured to access the at least one of the services within the service request from the service provider based on the successful authentication with the distributed authentication provider for the authentication level associated with the at least one of the services within the service request.

[0050] The authentication module may be configured to receive a redirection message from the service provider, the redirection message comprising an authentication level indicator for an authentication level associated with the at least one of the services within the service request.

[0051] The authentication module may be further configured to: generate an authentication request for the distributed authentication provider, the authentication request comprising an authentication level indicator for an authentication level associated with the at least one of the services within the service request; determine an authentication request response from the distributed authentication provider, the authentication request response comprising an indicator specifying an authentication specification based on the authentication level associated with the at least one of the services within the service request; generate an authentication message for the distributed authentication provider, the authentication message comprising data based on the authentication specification within the authentication request response; and receive from the distributed authentication provider an authentication response message, the authentication response message comprising an indicator authenticating the user apparatus for the authentication level associated with the at least one of the services within the service request.

[0052] The authentication module may be configured to generate an authentication message for the service provider, the authentication message comprising the indicator from the distributed authentication provider authenticating the user apparatus for the authentication level associated with the at least one of the services within the service request.

[0053] According to a sixth aspect there is provided a distributed authentication provider comprising: an association negotiation module configured to negotiate with a service provider to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services; and an authentication module configured to authenticate the user apparatus based on an authentication request from the user apparatus for an authentication level associated with at least one of the services within a service request enabling the service provider apparatus to provide the user apparatus access to the at least one of the services within the service request.

[0054] The association negotiation module may be configured to negotiate with the service provider at least one shared secret for authenticating an authentication message response from the user apparatus.

[0055] The association negotiation module may be configured to negotiate a value exchange with the service provider such that the plurality of services can be mapped to the plurality of authentication levels.

[0056] The association negotiation module may be configured to associate at least one authentication method with at least one authentication level of the plurality of authentication levels.

[0057] The association negotiation module may be configured to associate different combinations of authentication methods with each of the plurality of authentication levels.

[0058] The authentication module may be configured to receive the authentication request from the user apparatus for an authentication level associated with at least one of the services within a service request, the authentication request comprising an authentication level indicator for the authentication level associated with the at least one of the services within the service request.

[0059] The association negotiation module may be configured to: determine an authentication specification based on the authentication level associated with the at least one of the services within the service request; receive an authentication message from the user apparatus, the authentication message comprising data based on the authentication specification; determine that the authentication message data authenticates the user apparatus for the authentication level associated with at least one of the services within the service request; and generate an authentication response message for the user apparatus, the authentication response message comprising an indicator for authenticating the user apparatus at the service provider for the authentication level associated with the at least one of the services within the service request.

BRIEF DESCRIPTION OF THE DRAWINGS

[0060] Preferred embodiments of the present invention will now be described, by way of example only, with reference to the following drawings, in which: FIG. 1 schematically depicts a computer system according to some embodiments; FIG. 2 schematically depicts an aspect of a method according to some embodiments; FIG. 3 schematically depicts an aspect of an association between a service provider and an authentication provider according to some embodiments; FIG. 4 schematically depicts an aspect of an authentication between an end user and an authentication provider according to some embodiments; and FIGs. 5a, 5b, and 5c schematically depict elements within the computer system shown in Figure 1 according to some embodiments.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0061] It should be understood that the Figures are merely schematic and are not drawn to scale. It should also be understood that the same reference numerals are used throughout the Figures to indicate the same or similar parts.

[0062] In the context of the present application, where embodiments of the present invention constitute a method, it should be understood that such a method is a process for execution by a computer, i.e. is a computer-implementable method. The various steps of the method therefore reflect various parts of a computer program, e.g. various parts of one or more algorithms.

[0063] The various embodiments of the method of the present invention may be stored as computer-executable program code on a computer program product comprising a computer-readable storage medium. The computer-readable storage medium may be any medium that can be accessed by a computer for the retrieval of digital data from said medium. Non-limiting examples of a computer-readable storage medium include a CD, DVD, flash memory card, a USB memory stick, a random access memory, a read-only memory, a computer hard disk, a storage area network, a network server, an Internet server and so on.

[0064] In the context of the present application, a (computer) system may be a single device or a collection of distributed devices that are adapted to execute one or more embodiments of the methods of the present invention. For instance, a system may be a personal computer (PC), a server or a collection of PCs and/or servers connected via a network such as a local area network, the Internet and so on to cooperatively execute at least one embodiment of the methods of the present invention.

[0065] Figure 1 schematically depicts an example computer system according to some embodiments. The computer system in some embodiments may comprise an end user/user agent (EU/UA) apparatus 1, which hereafter is referred to as the end user apparatus or end user. The end user apparatus 1 may in some embodiments be configured to be operated by the end user and may be further configured to access resources or services provided by a relying party/service provider (RP/SP) apparatus 3 via a network 7. The relying party/service provider (RP/SP) apparatus 3 may be referred to hereafter as the service provider apparatus 3. Furthermore it would be understood that the end user apparatus 1 may be configured to communicate via the network 7 with an authentication provider/open ID provider (AP/OP) apparatus 5 in order to enable multi-level distributed authentication of the end user at the service provider. The authentication provider/open ID provider (AP/OP) apparatus 5 may be referred to hereafter as the authentication provider apparatus 5.

[0066] The end user apparatus 1 may in some embodiments comprise at least one microprocessor (μP) 13. The microprocessor 13 may be any suitable processing means or apparatus and be configured to fetch and execute computer executable program code. The computer executable program code may for example be stored on a memory 15 which is a computer readable storage medium of any suitable form. The computer readable storage medium may for example include a CD, DVD, flash memory card, a USB memory stick, a random access memory, a read only memory, a computer hard disk, a storage area network, a network server, an internet server and so on.

[0067] Furthermore in some embodiments the end user apparatus 1 may comprise a user interface (UI) 11 configured to enable the user or end user to interact with the end user apparatus 1. The user interface 11 may for example comprise any suitable input apparatus or means such as: a keyboard, a mouse, a touch screen input, a digital key reader, or a digital token reader. Furthermore the user interface 11 may comprise any suitable output apparatus or means such as: a display of any suitable format such as LED, OLED, LCD or printed display, a speaker or headset suitable for providing an audio output, or a tactile output such as a vibrating element for providing touch based output.

[0068] The end user apparatus 1 may further comprise a transceiver (Tx/Rx) 17 suitable for communicating via the network 7 to a suitable relying party/service provider apparatus 3 and/or an authentication provider/open ID provider apparatus 5.

[0069] With respect to Figure 5a the end user apparatus 1 is further shown with respect to operational modules suitable for implementing distributed authentication according to some embodiments. The end user apparatus 1 may in some embodiments comprise a service module 401. The service module 401 may be configured to receive requests from the user interface to retrieve services and/or resources from a remote server such as the relying party/service provider apparatus 3. The service module 401 may thus be configured to generate messages or requests which can be passed over the network 7 requesting these services and/or resources. Furthermore the service module 401 may be configured to receive these services and/or resources following a distributed multilevel authentication process.

[0070] The end user apparatus 1 may further comprise an authentication module 403. The authentication module 403 may be configured to communicate with the service provider apparatus 3 and/or the authentication provider apparatus 5 to enable the service module 401 to access the required or requested service or resource.

[0071] The computer system may further comprise a relying party/service provider (RP/SP) apparatus 3. The service provider apparatus 3 may in some embodiments be configured to store and/or access services and/or resources and apply a multi-level authentication control system to the accessing of the services. In other words the service provider apparatus 3 may be configured to permit access to at least one service from a plurality of services based on a correct authentication of a user at a determined authentication level associated with the requested at least one service from the plurality of services.

[0072] With respect to Figure 5b the relying party/service provider apparatus 3 is further shown with respect to operational modules suitable for implementing distributed authentication according to some embodiments. In some embodiments the service provider apparatus 3 comprises a service provider module 411. The service provider module 411 may be configured to receive requests for services and/or resources from the end user and furthermore provide or enable the access to these services and/or resources by an end user following the authentication provider determining a distributed multilevel authentication process for the level of authentication from the plurality of levels of authentication which matches or is associated with the requested at least one service from the plurality of services.

[0073] The service provider apparatus 3 may further comprise an authentication module 413. The authentication module 413 may be configured to receive authentication data or messages from the end user apparatus based on the authentication process between the end user apparatus 1 and the authentication provider apparatus 5.

[0074] The service provider apparatus 3 may further comprise an association negotiation module 415. The association negotiation module 415 may be configured to negotiate association rules with the authentication provider apparatus 5 in order to establish rules on authentication associated with levels of access to the services and/or resources provided by the service provider apparatus 3.

[0075] In some embodiments the computer system may further comprise the authentication provider/open identifier provider apparatus 5. The authentication provider apparatus 5 may be configured to authenticate the end user apparatus and provide the end user apparatus with a suitable token or data to be forwarded to the service provider indicating the level of authentication which has been obtained from the authentication provider apparatus 5.

[0076] With respect to Figure 5c the authentication provider apparatus 5 is shown with respect to operational modules suitable for implementing distributed authentication according to some embodiments. In some embodiments the authentication provider apparatus 5 may comprise an association negotiation module 421 which is configured to communicate and negotiate with the service provider apparatus 3 suitable levels of authentication and furthermore specifications associated with the levels of authentication.

[0077] Furthermore the authentication provider apparatus 5 may comprise an authentication module 423 configured to authenticate an end user apparatus 1 with respect to a determined authentication level and therefore with respect to an associated authentication method associated with the determined at least one authentication level from a plurality of authentication levels. Furthermore the authentication module 423 may be configured to supply the end user apparatus 1 with a suitable token or data representing the at least one authentication level from the plurality of authentication levels.

[0078] With respect to Figures 2 to 4 a series of operations are shown for multilevel distributed authentication of an end user apparatus 1 within a distributed authentication system according to some embodiments. The end user apparatus 1, and in some embodiments the service module 401, may be configured to generate a request for service or resource message. In some embodiments the message may further comprise an identifier identifying the end user apparatus.

[0079] The operation of generating the request for service message is shown in Figure 2 by step 100.

[0080] The request for service message may then in some embodiments be sent to the service provider apparatus 3.

[0081] The operation of sending the request for service message to the service provider apparatus 3 is shown in Figure 2 by step 101.

[0082] The service provider apparatus 3, and in some embodiments the service provider module 411, may determine or receive the request for service message. The service provider apparatus 3, and in some embodiments the service provider module 411, may then be configured to determine whether the service provider apparatus 3 is able to provide the service and furthermore determine the risk (of permitting access) to a resource/service for an authenticated user and therefore the risks associated with an unauthorised access of the service.

[0083] In some embodiments the service provider apparatus 3, and the service provider module 411, may be configured to determine whether there is an active or current association between the service provider apparatus 3 and the authentication provider apparatus 5. Where there is no active or current association, for example where there is no association between the service provider apparatus 3 and the authentication provider apparatus 5 or where the association between the service provider apparatus 3 and the authentication provider apparatus 5 has expired, then the service provider apparatus 3, and in some embodiments the service provider module 411, may be configured to initiate the association negotiation module to begin a negotiation with the authentication provider apparatus 5 with respect to agreeing an association and determining a level based distributed authentication control specification.

[0084] The operation of determining that the service can be provided, the risk determination and the association determination is shown in Figure 2 by step 103.

[0085] Where the service provider apparatus 3, and the service provider module 411 determines that the association has expired or there is no association between the service provider apparatus 3 and the authentication provider apparatus 5 then the service provider apparatus 3, and in some embodiments the association negotiation module 415, is configured to perform an association negotiation between the service provider apparatus 3 and the authentication provider apparatus 5.

[0086] The operation of negotiating an association between the service provider apparatus 3 and the authentication provider apparatus 5 is shown in Figure 2 by step 105.

[0087] With respect to Figure 3 the association negotiation operation is shown in further detail.

[0088] In some embodiments the service provider, and in particular the association negotiation module 415, may be configured to generate and transmit an association negotiation request to the authentication provider apparatus 5. The association negotiation request message may in some embodiments comprise a first operation in exchanging an encryption key between the service provider apparatus 3 and the authentication provider apparatus 5. For example in some embodiments the association negotiation request may comprise a first public Diffie-Hellman value.

[0089] The operation of generating and sending the association negotiation request is shown in Figure 3 by step 201.

[0090] The authentication provider apparatus 5, and in some embodiments the association negotiation module 421, may then be configured to receive the initial association negotiation message and generate a shared secret (value) between the service provider apparatus 3 and the authentication provider apparatus 5. The authentication provider apparatus 5, and in some embodiments the association negotiation module 421, may then further generate a second part of the key exchange, for example by generating a second public Diffie-Hellman value to be sent to the service provider apparatus 3 which is used by the service provider apparatus 3 to generate the same shared secret (value).

[0091] The operation of generating a first shared secret (value) at the authentication provider apparatus 5 is shown in Figure 3 by step 203.

[0092] The operation of generating a response to the service provider apparatus 3 suitable for the service provider apparatus 3 to generate the same shared secret (value) is shown in Figure 3 by step 205.

[0093] In some embodiments the service provider, and in particular the association negotiation module 415, may be configured to generate the same shared secret (value) based on the association negotiation request response. It would be understood that in some embodiments more than one shared secret or shared secret value can be generated. In such embodiments, for example, each shared secret can be assigned or associated with an authentication level. In such examples the service provider apparatus 3 may verify that the authentication provider 5 has authenticated the user apparatus 1 for the authentication level by verifying that the shared secret and/or shared secret value received from the user apparatus 1 (originally provided by the authentication provider 5 when successful authentication has occurred at a determined authentication level) matches the assigned or associated level.

[0094] The operation of generating the same shared secret (value) at the service provider apparatus 3 is shown in Figure 3 by step 207.

[0095] The service provider apparatus 3, and in some embodiments the association negotiation module 415, may be further configured to agree on a level negotiation protocol with the authentication provider apparatus 5, and in some embodiments the association negotiation module 421. In such embodiments the association negotiation modules 415, 421 exchange messages such that the authentication provider apparatus 5 and the service provider apparatus 3 agree on a 'service risk' (of permitting access to a resource/service for an authenticated user) to authentication level mapping.

[0096] The operation of exchanging messages to determine a risk-authentication level mapping is shown in Figure 3 by step 209.

[0097] The service provider apparatus 3, and in some embodiments the association negotiation module 415, may be further configured to agree on a level negotiation protocol with the authentication provider apparatus 5, and in some embodiments the association negotiation module 421. In such embodiments the association negotiation modules 415, 421 exchange messages to agree on a specification of authentication methods which are bound to specific authentication levels. Thus for example a first level of authentication could require a simple password, a higher level of authentication could then require an additional biometric component or be provided by an additional digital token or similar only available to the end user operating the end user apparatus 1.

[0098] The operation of exchanging messages determining the specification of authentication methods to be bound to specific authentication levels is shown in Figure 3 by step 211.

[0099] The service provider apparatus 3, and in some embodiments the association negotiation module 415, may then communicate with the authorisation module 413 to enable the service access control policy to include the notion of levels for any request which has been received by the service provider module 411 from an end user apparatus 1.

[00100] The writing of access control policy to include the multiple authentication levels in a distributed authentication policy is shown in Figure 3 by step 213.

[00101] An example of a group or plurality of services S1-S4 which could be offered by an example service provider apparatus 3 to an end user apparatus 1 may be a number of financial services and transactions. A non-limiting example of services may be where S1-S4 are services as depicted in Table 1, although it should be understood that many other types of services are of course equally feasible. Such services are typically associated with different risks (of permitting access) to a resource/service for an authenticated user. Thus for more critical services with a higher risk value or factor a higher level of authentication is required.

Table 1

Service  Description
S1       Locate ATM in ATM network of the computer system
S2       Balance enquiry
S3       Pay existing payee
S4       Pay new payee

[00102] Although in Table 1, S1-S4 are shown as single services, it is equally feasible that S1-S4 may be classes of services with multiple services per class. Thus for example each of the (classes of) services S1-S4 may be assigned an authentication method from the tiered authentication structure NoA-A4. For instance, each service S1-S4 is assigned an authentication level. Furthermore as discussed herein each authentication level may furthermore be mapped onto one or more authentication methods (where no authentication required is an authentication method where authentication is always successful). This mapping of authentication level to authentication method by way of non-limiting example is shown in Table 2.

Table 2

Method  Description
NoA     No authentication required
A1      Prompt user for username and password
A2      As A1, plus additional challenge question
A3      As A2, plus additional key required
A4      As A2, plus biometric verification required
A5      As A3, plus biometric verification required

[00103] Again, it is emphasized that the definition of the various authentication methods is by way of non-limiting example only, and that any suitable number and type of authentication methods may be included in the authentication mapping.

[00104] In such a manner each service or service class S1-S4 is assigned or associated with an authentication method from the authentication structure by means of the mapping function. The mapping function itself as discussed herein is a function of a risk profile of the service and user. In other words, the mapping function may be chosen based on the level of confidence or trust in the identity of the user and the risk (of permitting access) to a resource/service for an authenticated user.

[00105] Where there is determined to be an active association between the service provider apparatus 3 and the authentication provider apparatus 5, the service provider apparatus 3, and in some embodiments the service provider module 411, may cause the authentication module 413 to generate an authentication redirection message to the end user apparatus 1. In some embodiments the authentication module 413 is configured to determine the authentication level required for the end user to be able to access the requested service and generate a suitable authentication level indicator.

[00106] The operation of determining an authentication level required based on the service request and the authentication specification, and generating a suitable redirection request comprising an indication of the authentication level required is shown in Figure 2 by step 107.

[00107] The service provider apparatus 3 may then transmit the redirection request to the end user apparatus 1.

[00108] The operation of transmitting the redirection request is shown in Figure 2 by step 109.

[00109] The redirection request may be received at the end user apparatus 1. The end user apparatus, and in some embodiments the authentication module 403, may then be configured to generate an authentication request message comprising an authentication level indicator based on the indicator level found within the redirection request. For example in an OpenID distributed authentication system the indicator could be indicated by a value within a message field such as "openid.level".

[00110] The operation of generating an authentication request message comprising an authentication level indicator is shown in Figure 2 by step 111.

[00111] The end user apparatus 1, and in some embodiments the authentication module 403 may then be configured to authenticate the end user apparatus 1 at the authentication provider apparatus 5, and in some embodiments the authentication module 423 for the authentication level indicated within the level indicator.

[00112] The operation of authenticating the end user apparatus 1 at the authentication provider apparatus 5 for the required authentication level is shown in Figure 2 by step 113.

[00113] With respect to Figure 4 an example operation of authenticating the end user apparatus 1 at the authentication provider apparatus 5 for the required or requested authentication level is shown in further detail.

[00114] In some embodiments the end user apparatus 1 may transmit the authentication request comprising the authentication level indicator to the authentication provider apparatus 5.

[00115] The operation of transmitting the authentication request with the authentication level indicator is shown in Figure 4 by step 301.

[00116] The authentication provider apparatus 5, and in some embodiments the authentication module 423, may then be configured to determine or generate an authentication request response message. In some embodiments the authentication request response comprises an authorisation specific response based on the authentication level and the negotiated authentication method agreed during the association between the service provider apparatus 3 and authentication provider apparatus 5. For example the determination of the authentication request response may comprise a looking up of the authentication method associated with the requested authentication level and informing the end user apparatus 1 which authentication method(s) are required.

[00117] The operation of determining or generating an authentication request response message based on the authentication level requested is shown in Figure 4 by step 303.

[00118] The authentication provider apparatus 5 may further transmit the authentication request response message, which may comprise an authorisation specific response based on the level and the negotiated authentication method agreed during the association between service provider apparatus 3 and authentication provider apparatus 5.

[00119] The operation of transmitting the authentication request response message based on the level of authentication required is shown in Figure 4 by step 305.

[00120] The end user apparatus 1, and in some embodiments the authentication module 403, may then receive the authentication request response message and perform or generate suitable authentication method operations. For example in some embodiments where a first authentication level requires the end user apparatus to provide a user name and password then the end user apparatus 1 user interface can display this information and receive the suitable user name and password combination. Whereas where a different authentication level requires an additional identification or authentication token, then the suitable input can be enabled, such as enabling an RFID data link where an RFID token is to be received, or activating a fingerprint scanner or other body part scanner where a biometric token is to be received.

[00121] The operation of generating an authentication message based on the required authentication method is shown in Figure 4 by step 307.

[00122] The authentication message comprising the requested or required authentication data from the end user apparatus 1 may then be transmitted to the authentication provider apparatus 5.

[00123] The operation of transmitting the authentication message is shown in Figure 4 by step 309.

[00124] The authentication provider apparatus 5, and in some embodiments the authentication module 423, may then authenticate the authentication message from the end user apparatus using the determined method based on the authentication level required.

[00125] The operation of authenticating the authentication message from the end user using the method based on the authentication level required is shown in Figure 4 by step

[00126] The authentication provider apparatus 5, and in some embodiments the authentication module 423, may then determine, generate and transmit an authentication response message to the end user apparatus 1. The authentication response message may comprise a field indicating whether the authentication was successful or not successful, in other words whether the end user apparatus 1 is authenticated at the authentication level. The authentication response message may further comprise a field indicating where the authentication was successful. For example the message may comprise a field indicating that the end user apparatus 1 has been successfully authenticated at one authentication level but not another authentication level. The authentication response message may also in some embodiments comprise a field indicating the level at which the authentication was successful. Furthermore in some embodiments the authentication response message may comprise a field indicating whether the authentication was successful or not successful and/or the authentication level based on including a shared secret between the service provider apparatus 3 and the authentication provider apparatus 5, wherein the shared secret is further associated with a successful authentication at a determined level.

[00127] The determination and transmitting of an authentication response message to the end user apparatus 1 is shown in Figure 4 by step 313.

[00128] The end user apparatus 1, and in some embodiments the authentication module 403, may be configured to generate a message to be forwarded to the service provider apparatus 3 indicating a successful or otherwise authentication from the authentication provider for a specific authentication level based on the authentication response from the authentication apparatus.

[00129] This operation of generating a forwarding message is shown in Figure 2 by step 115.

[00130] The forwarded message may then be transmitted from the end user apparatus 1 to the service provider apparatus 3.

[00131] The operation of transmitting the forwarding message is shown in Figure 2 by step 117.

[00132] The service provider apparatus 3, and in some embodiments the authentication module 413, may receive the forwarded message from the end user apparatus, and verify whether the forwarded message indicates a successful authentication of the end user apparatus 1 at the authentication provider apparatus 5. The verification of the authentication, for example, may be determined by verifying the shared secret value against the association shared value.

[00133] The service provider apparatus 3, and in some embodiments the service provider module 411, may, when the authentication is verified, be configured to provide the service and/or resource to the end user apparatus 1 and in some embodiments the service module 401.

[00134] The operation of enabling access based on the level of authentication is shown in Figure 2 by step 119.
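The following Python is an added example (not code from the patent) simulating the association negotiation of paragraphs [0088] to [0098] and the level-bound verification of paragraphs [0093] and [00132]: a Diffie-Hellman exchange yields one secret per authentication level, the service provider redirects with an "openid.level" indicator, the authentication provider applies the Table 2 method bound to that level, and the service provider verifies the forwarded assertion against its own copy of the level secret. Assumptions beyond the page: a toy DH group, the particular service-to-level and level-to-method numbering, and proving possession of the level secret with an HMAC tag and single-use nonce rather than forwarding the secret itself through the end user apparatus.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example only (use an RFC 3526
# group in practice): p is the Mersenne prime 2^127 - 1, g an arbitrary base.
P = (1 << 127) - 1
G = 3

# Risk -> level mapping for the Table 1 services (step 209) and level -> method
# binding for the Table 2 methods (step 211). The numbering is an assumption;
# the page gives only the two tables.
SERVICE_LEVEL = {"S1": 0, "S2": 1, "S3": 2, "S4": 3}
LEVEL_METHOD = {0: "NoA", 1: "A1", 2: "A2", 3: "A4"}
METHOD_CREDENTIALS = {
    "NoA": [],
    "A1": ["password"],
    "A2": ["password", "challenge"],
    "A4": ["password", "challenge", "biometric"],
}


def derive_level_secrets(dh_shared: int) -> dict:
    """One shared secret per authentication level, derived from the DH value ([0093])."""
    ikm = dh_shared.to_bytes((dh_shared.bit_length() + 7) // 8, "big")
    return {lvl: hashlib.sha256(b"level-secret|%d|" % lvl + ikm).digest() for lvl in LEVEL_METHOD}


def level_proof(secret: bytes, user: str, level: int, nonce: str) -> str:
    """Tag keyed with the level's secret (assumption: a MAC is forwarded, not the secret)."""
    return hmac.new(secret, f"{user}|{level}|{nonce}".encode(), hashlib.sha256).hexdigest()


class AuthenticationProvider:  # apparatus 5
    def __init__(self, users: dict):
        self.users = users
        self.level_secrets = None

    def associate(self, sp_public: int) -> int:  # steps 203 and 205
        a = secrets.randbelow(P - 2) + 1
        self.level_secrets = derive_level_secrets(pow(sp_public, a, P))
        return pow(G, a, P)

    def required_credentials(self, level: int) -> list:  # steps 303 and 305
        return METHOD_CREDENTIALS[LEVEL_METHOD[level]]

    def authenticate(self, user: str, level: int, supplied: dict) -> dict:  # steps 311 and 313
        record = self.users.get(user, {})
        ok = all(
            field in supplied and field in record
            and isinstance(supplied[field], type(record[field]))
            and hmac.compare_digest(supplied[field], record[field])
            for field in self.required_credentials(level)
        )
        response = {"user": user, "level": level, "success": ok}
        if ok:
            response["nonce"] = secrets.token_hex(16)  # makes each assertion single-use
            response["proof"] = level_proof(self.level_secrets[level], user, level, response["nonce"])
        return response


class ServiceProvider:  # apparatus 3
    def __init__(self, ap: AuthenticationProvider):
        self.ap = ap
        self.level_secrets = None  # no active association yet
        self.seen_nonces = set()

    def ensure_association(self) -> None:  # steps 103/105 and 201 to 207
        if self.level_secrets is None:
            b = secrets.randbelow(P - 2) + 1
            ap_public = self.ap.associate(pow(G, b, P))
            self.level_secrets = derive_level_secrets(pow(ap_public, b, P))

    def redirect_for(self, service: str) -> dict:  # step 107: level indicator for the user agent
        self.ensure_association()
        return {"openid.level": SERVICE_LEVEL[service]}

    def verify(self, service: str, response: dict) -> bool:  # steps 117 and 119
        """Accept only a successful assertion at (at least) the service's level whose proof
        checks under that level's secret and whose nonce has not been presented before."""
        level, nonce = response.get("level"), response.get("nonce")
        if not response.get("success") or level not in self.level_secrets or not nonce:
            return False
        if level < SERVICE_LEVEL[service] or nonce in self.seen_nonces:
            return False
        expected = level_proof(self.level_secrets[level], response.get("user", ""), level, nonce)
        if not hmac.compare_digest(expected, response.get("proof", "")):
            return False
        self.seen_nonces.add(nonce)
        return True


def request_service(sp: ServiceProvider, user: str, service: str, credentials: dict):
    """End user apparatus 1: steps 101, 109, 111/113, 115/117; returns (granted, response)."""
    level = sp.redirect_for(service)["openid.level"]
    response = sp.ap.authenticate(user, level, credentials)
    return sp.verify(service, response), response


# Constructed sample user directory; the biometric entry stands in for a stored template.
USERS = {"alice": {"password": "correct horse", "challenge": "blue", "biometric": b"fp-template-1"}}
```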

[00135] It would be understood that in some embodiments where the user is required to authenticate for a different or further authentication level, and the association between the service provider apparatus 3 and authentication provider apparatus 5 is active or valid, the operations as shown in Figure 4 may be performed, in other words requesting authentication for the different or further authentication level without the need to perform a new association.

[00136] Furthermore although in some examples provided herein the distributed authentication service is provided in the form of an open ID distributed authentication service it would be understood that any suitable distributed authentication operation could be implemented.

[00137] The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.

[00138] The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

[00139] Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

[00140] Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

[00141] Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

[00142] These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

[00143] The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

[00144] The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

Claims (2)

1. A method for providing a user apparatus (1) access to a computer system comprising a plurality of services and a plurality of authentication levels, the method comprising: determining a service request for at least one of the services from a user apparatus; negotiating with a distributed authentication provider (5) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services; redirecting the user apparatus (1) to access the distributed authentication provider such that the user apparatus (1) authenticates itself at the distributed authentication provider (5) for the authentication level associated with the at least one of the services within the service request; and providing the user apparatus (1) access to the at least one of the services within the service request based on a successful authentication at the distributed authentication provider for the authentication level associated with the at least one of the services within the service request.

2. The method as claimed in claim 1, wherein negotiating with a distributed authentication provider (5) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services comprises negotiating with the distributed authentication provider (5) at least one shared secret for authenticating that an authentication message response from the user apparatus (1) originates from the distributed authentication provider (5).

3. The method as claimed in claim 2, wherein providing the user apparatus (1) access to the at least one of the services within the service request comprises: determining a successful authentication indicator for the authentication level associated with the at least one of the services within the service request from the user apparatus (1), the successful authentication indicator comprising the at least one shared secret; and enabling the user apparatus (1) access to the at least one of the services within the service request.

4. The method as claimed in any of claims 1 to 3, wherein negotiating with a distributed authentication provider (5) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services comprises negotiating a value exchange with the distributed authentication provider (5) such that the plurality of services can be mapped to the plurality of authentication levels.

5. The method as claimed in any of claims 1 to 4, wherein negotiating with a distributed authentication provider (5) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services comprises associating at least one authentication method with at least one authentication level of the plurality of authentication levels.

6. The method as claimed in any of claims 1 to 5, wherein determining a service request for at least one of the services comprises assigning an authentication level to the at least one of the services within the service request.

7. The method as claimed in claim 6, wherein redirecting the user apparatus (1) to access the distributed authentication provider (5) comprises generating a redirection message to be sent to the user apparatus (1), the redirection message comprising an authentication level indicator for an authentication level assigned to the at least one of the services within the service request.

8. A method for providing a user apparatus (1) access to a computer system comprising a plurality of services and a plurality of authentication levels, the method comprising: generating a service request for at least one of the services; transmitting the service request to a service provider (3); authenticating with a distributed authentication provider (5) for an authentication level associated with the at least one of the services within the service request; and accessing the at least one of the services within the service request from the service provider (3) based on the successful authentication with the distributed authentication provider for the authentication level associated with the at least one of the services within the service request.

9. The method as claimed in claim 8, further comprising receiving a redirection message from the service provider (3), the redirection message comprising an authentication level indicator for an authentication level associated with the at least one of the services within the service request.

10. The method as claimed in any of claims 8 and 9, wherein authenticating with the distributed authentication provider (5) for an authentication level associated with the at least one of the services within the service request comprises: generating an authentication request for the distributed authentication provider (5), the authentication request comprising an authentication level indicator for an authentication level associated with the at least one of the services within the service request; determining an authentication request response from the distributed authentication provider, the authentication request response comprising an indicator specifying an authentication specification based on the authentication level associated with the at least one of the services within the service request; generating an authentication message for the distributed authentication provider, the authentication message comprising data based on the authentication specification within the authentication request response; and receiving from the distributed authentication provider (5) an authentication response message, the authentication response message comprising an indicator authenticating the user apparatus (1) for the authentication level associated with the at least one of the services within the service request.

11. The method as claimed in claim 10, wherein accessing the at least one of the services within the service request from the service provider (3) based on the successful authentication with the distributed authentication provider (5) for the authentication level associated with the at least one of the services within the service request comprises generating an authentication message for the service provider (3), the authentication message comprising the indicator from the distributed authentication provider (5) authenticating the user apparatus (1) for the authentication level associated with the at least one of the services within the service request.

12. A method for providing a user apparatus (1) access to a computer system comprising a plurality of services and a plurality of authentication levels, the method comprising: negotiating with a service provider (3) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services; and authenticating the user apparatus (1) based on an authentication request from the user apparatus (1) for an authentication level associated with at least one of the services within a service request so as to enable the service provider to provide the user apparatus (1) access to the at least one of the services within the service request.

13. The method as claimed in claim 12, wherein negotiating with a service provider (3) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services comprises negotiating with the service provider (3) at least one shared secret for authenticating an authentication message response from the user apparatus (1).

14. The method as claimed in any of claims 12 and 13, wherein negotiating with a service provider (3) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services comprises negotiating a value exchange with the service provider such that the plurality of services can be mapped to the plurality of authentication levels.

15. The method as claimed in any of claims 12 to 14, wherein negotiating with the service provider (3) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services comprises associating at least one authentication method with at least one authentication level of the plurality of authentication levels.

16. The method as claimed in any of claims 12 to 15, wherein authenticating the user apparatus (1) for an authentication level associated with at least one of the services within a service request further comprises: determining an authentication specification based on the authentication level associated with the at least one of the services within the service request; receiving an authentication message from the user apparatus (1), the authentication message comprising data based on the authentication specification; determining that the authentication message data authenticates the user apparatus (1) for the authentication level associated with at least one of the services within the service request; and generating an authentication response message for the user apparatus (1) comprising an indicator for authenticating the user apparatus at the service provider (3) for the authentication level associated with the at least one of the services within the service request.

17. A computer program product comprising a computer-readable storage medium having computer-readable program code which, when executed on at least one processor of a computer, causes the computer to implement the steps of the method of any of claims 1 to 16.

18. A service provider apparatus (3) comprising: a service provider module (411) configured to determine a service request for at least one of a plurality of services from a user apparatus (1); an association negotiation module (415) configured to negotiate with a distributed authentication provider (5) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services; an authentication module (413) configured to redirect the user apparatus (1) to access the distributed authentication provider (5) such that the user apparatus (1) authenticates itself at the distributed authentication provider for the authentication level associated with the at least one of the services within the service request; and wherein the authentication module (413) is further configured to provide the user apparatus (1) access to the at least one of the services within the service request based on a successful authentication at the distributed authentication provider (5) for the authentication level associated with the at least one of the services within the service request.

19. A user apparatus (1) comprising: a service module (401) configured to generate a service request for at least one of a plurality of services, wherein the service request is transmitted to a service provider (3); an authentication module (403) configured to authenticate the computer system with a distributed authentication provider (5) for an authentication level associated with the at least one of the services within the service request; and further configured to access the at least one of the services within the service request from the service provider (3) based on the successful authentication with the distributed authentication provider for the authentication level associated with the at least one of the services within the service request.

20. A distributed authentication provider (5) comprising: an association negotiation module (421) configured to negotiate with a service provider (3) to provide an authentication level based access control for the plurality of authentication levels associated with the plurality of services; and an authentication module (423) configured to authenticate the user apparatus (1) based on an authentication request from the user apparatus (1) for an authentication level associated with at least one of the services within a service request so as to enable the service provider apparatus (3) to provide the user apparatus (1) access to the at least one of the services within the service request.
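The exchange the claims describe (a per-level shared secret negotiated between service provider and distributed authentication provider in claims 2 and 13, a level indicator in the redirection message in claim 7, an authentication specification returned per level in claims 10 and 16, and an indicator carrying the shared secret checked by the service provider in claim 3) is simulated below as an added Python example. It is not code from the patent or from any product implementing it; the service names, the level-to-method mapping, the user credentials and the choice of an HMAC under the level's shared secret as the "successful authentication indicator" are all constructed assumptions for illustration. The example also shows two checks a service provider would want that the claims only imply: an indicator issued for a lower level is refused for a higher-level service, and an indicator cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption, not from the patent): services mapped to
# authentication levels, and the methods each level requires (the
# "authentication specification" of claims 10 and 16).
SERVICE_LEVELS = {"news": 1, "account": 2, "transfer": 3}
LEVEL_SPECS = {1: ["password"], 2: ["password", "otp"], 3: ["password", "otp", "biometric"]}

# Constructed credentials held only by the authentication provider (assumption).
USER_CREDENTIALS = {"alice": {"password": "pw-alice", "otp": "123456", "biometric": "fp-alice"}}


def _tag(secret, user, level, nonce):
    # Indicator binding user, level and a fresh nonce under the level's shared secret.
    msg = f"{user}|{level}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class DistributedAuthProvider:
    """Distributed authentication provider (5): one shared secret per level."""

    def __init__(self):
        self.level_secrets = {}

    def negotiate(self, levels):
        # Claims 2/13: agree one shared secret per authentication level. The channel
        # carrying these secrets to the service provider is assumed to be protected.
        self.level_secrets = {lvl: secrets.token_bytes(32) for lvl in levels}
        return dict(self.level_secrets)

    def authentication_request(self, level):
        # Claims 10/16: answer the level indicator with the authentication specification.
        return {"level": level, "spec": LEVEL_SPECS[level]}

    def authenticate(self, user, level, data):
        # Claim 16: every method the level requires must verify; only then issue
        # the indicator for exactly that level.
        creds = USER_CREDENTIALS.get(user)
        if creds is None:
            return None
        for method in LEVEL_SPECS[level]:
            if not hmac.compare_digest(str(data.get(method, "")), creds[method]):
                return None
        nonce = secrets.token_hex(16)
        return {"user": user, "level": level, "nonce": nonce,
                "tag": _tag(self.level_secrets[level], user, level, nonce)}


class ServiceProvider:
    """Service provider (3): assigns levels, redirects, and checks indicators."""

    def __init__(self, dap):
        self.level_secrets = dap.negotiate(set(SERVICE_LEVELS.values()))
        self.seen_nonces = set()

    def service_request(self, service):
        # Claims 6/7: assign the level and build the redirection message.
        return {"redirect_to": "dap", "service": service, "level": SERVICE_LEVELS[service]}

    def access(self, service, indicator):
        # Claim 3: grant access only for an indicator whose level matches the
        # service, whose MAC verifies under that level's shared secret, and whose
        # nonce has not been presented before (replay check, added here).
        level = SERVICE_LEVELS[service]
        if indicator is None or indicator["level"] != level:
            return False
        expected = _tag(self.level_secrets[level], indicator["user"], level, indicator["nonce"])
        if not hmac.compare_digest(expected, indicator["tag"]):
            return False
        if indicator["nonce"] in self.seen_nonces:
            return False
        self.seen_nonces.add(indicator["nonce"])
        return True


def user_flow(sp, dap, user, service, supplied):
    """User apparatus (1), claims 8 to 11: request, follow redirect, authenticate, access.

    Returns (access_granted, indicator) so the indicator can be examined afterwards."""
    redirect = sp.service_request(service)
    spec = dap.authentication_request(redirect["level"])["spec"]
    auth_message = {method: supplied.get(method) for method in spec}
    indicator = dap.authenticate(user, redirect["level"], auth_message)
    return sp.access(service, indicator), indicator


if __name__ == "__main__":
    dap = DistributedAuthProvider()
    sp = ServiceProvider(dap)
    granted, ind = user_flow(sp, dap, "alice", "account", {"password": "pw-alice", "otp": "123456"})
    print("account access:", granted)
    print("same indicator reused for transfer:", sp.access("transfer", ind))
```

The service provider never sees the user's credentials; it only checks that the indicator was produced under the secret negotiated for the level its service requires. Binding the level into the MAC input is what stops a level-1 indicator from unlocking a level-3 service, and the nonce set is what stops a captured indicator from being presented twice.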